How Windows Determines That the File Has Been Downloaded from the Internet

In one of the previous articles, we mentioned that when trying to open an executable file downloaded from the Internet Windows shows a security warning of running a potentially dangerous content (For details, see How to Disable Security Warnings in Windows). How does the system determines that the file has been downloaded from the Internet? Let’s try to find it out.

All executable files downloaded from the Internet in a browser get a special marker. This rule is supported not only by Internet Explorer, but also by other popular browsers, like Mozilla Firefox and Google Chrome. When copying, renaming or moving a file to another NTFS partition, the marker still stays along.

This marker is an alternative NTFS file stream.

Note. The alternative NTFS data streams allow to create several extra data (metadata) streams for each NTFS file. By default, all file data are stored in the main stream, but it is possible to create for a file one or more additional streams and their size may even exceed the size of the primary file streem. The majority of applications (including Windows Explorer) work only with the standard stream and cannot read data from the alternative NTFS data streams.

To make sure that a special marker has been assigned to a file downloaded from the Internet, display the list of files for the directory containing distributions using the following command:

dir /r

As we can see, the alternative stream Zone.Identifier has been assigned to the executable files, like install_flash_player_16_active_x.exe:Zone.Identifier.

Open the alternative stream in Notepad:

Notepad.exe install_flash_player_16_active_x.exe:Zone.Identifier

We can see that this stream is a file containing a section [ZoneTransfer], in which a transfer zone ID (ZoneId) is specified. (These are the security zones that can be found in IE settings.) The transfer zone ID can contain one of the five values from 0 to 4.

ZoneId=0: Local machine

ZoneId=1: Local intranet

ZoneId=2: Trusted sites

ZoneId=3: Internet

ZoneId=4: Restricted sites

When you download a file from a security zone, a browser assigns a corresponding ZoneId to it. When trying to run a file with ZoneId equal to 3 or 4 in its alternative NTFS stream, based on this ID the system detects that a file has been downloaded from the Internet or an untrusted source. Windows has been checking this marker of executable files since Windows XP SP2.

To delete this marker (the alternative stream) manually, you should only click Unblock in the file properties.

Make sure that this file doesn’t have the alternative stream now.

Tip. To prevent assigning markers to the downloaded files, you can save the files downloaded from the Internet to a file system different from NTFS, like FAT, exFat, etc.

Actually, Windows doesn’t have any tools to deal with the alternative data streams. For instance, if you have to delete them from a number of files at once, you’d better use a third-party console tool by Mark Rusinovich — streams.

For example, to recursively delete the alternative streams of all executable files in c:\Download\, run this command:

c:\TOOLS\streams.exe -s -d c:\Download\*.exe

In the command prompt, you can see that the alternative stream of a file has been deleted: Deleted :Zone.Identifier:$DATA

Important. Streams deletes all alternative streams of the specified files and doesn’t allow to target a certain stream. So, do not run the streams command as streams.exe -s -d c:\*.exe, since it can result in the system failure after the important information contained in the alternative NTFS streams has been deleted.

In PowerShell 3.0, you can display the list of files with Zone.Identifier stream in a directory using this command: